U.S. Department of Agriculture
Office of Inspector General
Southwest Region

Audit Report

Application Controls Over the Processed Commodity Inventory Management System

Audit Report 50601-13-Te
July 2006


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

July 27, 2006

REPLY TO
ATTN OF:   50601-13-Te

TO:        Teresa C. Lasseter
           Administrator
           Farm Service Agency

ATTN:      T. Mike McCann
           Director
           Operations Review and Analysis Staff

FROM:      Robert W. Young /s/
           Assistant Inspector General for Audit

SUBJECT:   Application Controls Over the Processed Commodity Inventory Management System

SUMMARY:
Our review of the Processed Commodity Inventory Management System (PCIMS), a system used by several agencies, including the Farm Service Agency (FSA), to acquire, track, and distribute approximately $2.5 billion of annual domestic and foreign food assistance, sought to determine if application controls are in place and functioning effectively to ensure that transactions are properly authorized, and completely and accurately processed. Since we found that PCIMS' application controls are in place and functioning effectively, we have closed our files for this audit. No further action is required.

BACKGROUND:
PCIMS is an integrated data management system developed to assist the Agricultural Marketing Service (AMS), FSA, and the Food and Nutrition Service (FNS) in purchasing food commodities and distributing them to recipients worldwide. Although each agency has its own distinct mission and requirements, AMS, FSA, and FNS have collaborated in developing, operating, and maintaining PCIMS, as its functions are interrelated to make a joint computer system for these three agencies practical.

Application controls are the structures, policies, and procedures that apply to individual application systems, such as accounts payable, inventory, payroll, grants, or loans. These controls encompass both the routines within the computer program code, and the policies and procedures associated with user activities, such as the procedures users must follow to ensure that transactions are valid, properly authorized, and completely and accurately processed by the computer. In general, the U.S. Department of Agriculture is required to implement application controls to ensure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications. [1]

OBJECTIVE:
We initiated this audit to ensure that PCIMS' application controls meet the Office of Management and Budget's (OMB) requirements, [2] and are functioning effectively to ensure that transactions are properly authorized, and completely and accurately processed.

SCOPE AND METHODOLOGY:
The audit was conducted at FSA and FNS Headquarters in Washington, D.C.; at the Kansas City Commodity System Office in Kansas City, Missouri; and at the FNS Regional Office in Dallas, Texas. Fieldwork was performed from March 2005 to July 2006. We reviewed transactions processed in April 2005.

To accomplish our audit objectives, we:

   1. reviewed agency, Departmental, and other federally mandated information technology security policies and procedures;

   2. interviewed AMS, FNS, and FSA officials responsible for developing and managing PCIMS, as well as for entering data into the system;

   3. evaluated and tested data authorization, completeness, and accuracy controls; and

   4. analyzed transactions to validate data integrity.

The audit was conducted in accordance with Government auditing standards.

RESULTS:
Although FSA planned to have an updated PCIMS security plan in place by September 2005, we noted PCIMS' security plan had not been revised since July 2004. FSA was aware of this condition, as it had been identified by security reviews and audits conducted in fiscal year 2004, including an audit performed by the Office of Inspector General (OIG), [3] and security reviews performed by Science Applications International Corporation and KPMG Peat Marwick LLP. We notified the agency's information systems security program manager that the PCIMS' security plan had not been updated as scheduled. He explained that the delay was due to both FSA's failure to communicate with the contractors hired to annually update the PCIMS' security plan and to validate that all security plans were complete. Effective April 28, 2006, PCIMS' security plan was updated and prepared for submission to the Associate Chief Information Officer for Cyber Security.

Our review found no additional weaknesses. Since we have no additional findings and FSA has taken corrective action on the weakness identified, we are making no recommendations to management. No reply to this report is necessary.

We appreciate the assistance you and your staff provided us during this review.

FOOTNOTES:
[1] OMB Circular A-130, "Management of Federal Information Resources," appendix III, "Security of Federal Automated Information Resources," updated in 1996, and of Public Law 100-235, "Computer Security Act of 1987."
[2] OMB Circular A-130, "Management of Federal Information Resources," appendix III, "Security of Federal Automated Information Resources," updated in 1996, and of Public Law 100-235, "Computer Security Act of 1987."
[3] OIG Audit Report 06401-17-FM, "Commodity Credit Corporation's Financial Statements for Fiscal Years 2004 and 2003."